Foreign Accent 147
Food for Thought: The Fatal Flaw of IP Fragmentation
While discussing the defining features of the Internet Protocol, I casually
mentioned that the process of packet fragmentation and reassembly is fatally
flawed. This notion comes primarily from a fairly interesting observation I
had while writing this book. Although the concept is related to an active and
noticeable attack performed by an openly rogue entity (although it is not
easily traceable back to that entity), it is a unique and interesting flaw
inherent in the design of the Internet Protocol. It is not the result of a clearly
defined mistake, but more a collision of paradigms on different design
layers, both, curiously, specified by Jon Postel, one of the fathers of the IP suite. I
have decided to include it here to close this chapter, as food for thought for
those interested in the pathology of computer flaws.
First, let’s look at the state of affairs today, or perhaps yesterday, as we are
dusting off a fairly old attack technique, mentioned previously in the TCP
discussion. The technique in question, blind spoofing, was first described by
Robert T. Morris in the mid ’80s.[12] It had its golden age a decade later, but
its significance has decreased ever since. We’ll focus on a specific example of
blind spoofing, that of injecting certain data into an existing session, to
disrupt it, to convince the server that its user has issued a specific command,
or to convince the user that they are getting a specific response from the
server. This technique is often referred to as connection hijacking.
Under normal circumstances, a malicious bystander, wanting to insert
data into an existing TCP stream, first needs to determine the sequence
numbers used by at least one of the parties. Even though such an attack is
highly time sensitive and must be targeted against a specific, existing
connection, it can be (and has been, many times) performed successfully
when the sequence numbers are predictable. In fact, in the late 1990s, many
tools were used to disrupt Windows TCP sessions to Internet Relay Chat
(IRC) networks (for amusement or otherwise), exploiting the weak Windows
initial sequence number (ISN) selection algorithm; it was trivial to inject a
single RST packet here and there, kicking a person off the chat server. This is
what we called fun back then.
Today, the situation is a bit different. Thanks to the efforts of many
researchers (including the most humble author of these words), developers
have worked hard to make initial sequence numbers in TCP connections
more difficult to predict. Many attempts to improve the quality and strength
of sequence number generators in popular operating systems have, in the
end, rendered ISN prediction attacks harder, with a few rather unnoteworthy
exceptions. Systems that use sequential ISN numbers are largely extinct; an
attacker, unable to determine the numbers used in a conversation with
another party, is forced to search the entire 32-bit space of possible values in
order to perform a precise data insertion attack (fewer if they only want to
abort or irrecoverably mangle the session). That’s some 4,294,967,296
combinations, and an attack like this requires the attacker to send an average
of about 80 GB of data in order for it to succeed. Needless to say, this is not
considered particularly feasible.